Hi there! I'm having this issue I would like to share with you, I hope to find a solution.
This is the scenario:
- Two different apps, let's call them development and development_panel
- Both apps use the same model (shared through symlinks)
- development_panel app is served at panel.development.com
- Login is done in development_panel app and cookie is shared for development app (so, the visitor logs in at panel.development.com and that cookie is shared also with development.com)
How does it work?
First, I have the domains mapped to apps within my routes.py
    routers = dict(
        BASE=dict(
            default_controller='default',
            default_function='index',
            map_static=True,
            exclusive_domain=True,
        )
    )
Notice exclusive_domain=True, meaning that each app can be accessed only through the specified domain, and not from another one. This works like a charm.
Second, the db.py file is defined in one app, and symlinked from the other one. The "databases" folder was moved out from inside the app folder, so it is specified when instantiating DAL:
    db = DAL(
        'postgres://%s:%s@%s/%s' % (CONFIG.db_user, CONFIG.db_user_password, CONFIG.db_host, CONFIG.db_name),
        migrate=False,
        lazy_tables=True,
        folder=CONFIG.databases_folder)
Third, both apps connect to the session specifying development as the masterapp:
    session.connect(request, response, db=db, masterapp='development')
Fourth and last, this code is right after session.connect, and it's the one that makes the magic.
These two lines of code are the ones needed in order to share the login session between the two apps:
    if response.session_id_name in response.cookies:
        response.cookies[response.session_id_name]['domain'] = 'development.com'
Now, remember the login is done in development_panel and development is defined as the masterapp. Well, all this is working ok, I have several websites running this way (every website has its own domain and its couple of apps installed, served the same way as the example I exposed). However, very few customers are reporting they can't log in. Actually, they log in successfully to the panel, but then they go to the main domain and they aren't logged in anymore. That is, the cookie is being written but not read (not shared across domains). This happens only on a specific subset of devices and browsers (so far, it's been reported to happen a lot in Safari for iPhone).
As I said, the current approach is working for the vast majority of customers. However, as some of them reported the problem, I wanted to check the cookies. And that's when I saw all this mess, or at least I think it's a mess.
Having erased all cookies from the browser, without being logged in, I go to the login page at panel.development.com and this is what I see in the cookies:

I can already see a strange cookie "session_id_development_panel" that I don't know where it comes from.
I checked the gluon/globals.py code to see where that name is generated:
https://github.com/web2py/web2py/blob/master/gluon/globals.py#L846
Notice it uses the masterapp to generate that name, and if you check my previous code, you will see that I connect to the session using masterapp='development'.
So where does session_id_development_panel come from?
What is more weird is this: after a successful login, the app takes me to the main domain, and there I see these cookies:

Notice the duplicated cookie name with different values. Where does it come from?
Now that I see all this, I'm starting to think that the problem reported by some customers is produced by this cookie mess.
Somehow Chrome, Firefox and Edge don't complain about this and it works ok. However some browsers don't like this, and refuse to share the cookie.
Any thoughts? Anything I should check or modify?
I've read documentation about cookies:
http://web2py.com/books/default/chapter/29/4#Cookies
There, you can see what is needed in order to share the cookie across multiple domains, but the documentation mentions a single app.
What about my case? I know there is something that I have to change, but I can't figure out what.
Any help will be appreciated.
Thanks in advance!
Regards,
Lisandro.
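
An added example, not part of the original post: one way to check which session cookies a browser would attach to requests for each host, given Set-Cookie headers captured from the two apps. The header values and the cookie name session_id_development are constructed sample input, and the matching is a simplified form of RFC 6265 domain-matching (path and expiry are ignored).

```python
from collections import defaultdict
from http.cookies import SimpleCookie

# Constructed sample input: (host that sent the response, Set-Cookie value).
CAPTURED = [
    ("panel.development.com", "session_id_development_panel=aaa111; Path=/"),
    ("panel.development.com", "session_id_development=bbb222; Path=/"),
    ("panel.development.com",
     "session_id_development=ccc333; Domain=development.com; Path=/"),
]


def build_jar(captured):
    """Store cookies the way a browser does: keyed by (name, domain, path)."""
    jar = {}
    for host, header in captured:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            domain = morsel["domain"].lstrip(".").lower()
            host_only = not domain  # no Domain attribute: exact host only
            scope = domain or host.lower()
            jar[(name, scope, morsel["path"] or "/")] = (morsel.value, host_only)
    return jar


def sent_to(jar, host):
    """Return {name: [values]} of the cookies that match the given host."""
    out = defaultdict(list)
    for (name, scope, _path), (value, host_only) in jar.items():
        if host == scope or (not host_only and host.endswith("." + scope)):
            out[name].append(value)
    return dict(out)


def ambiguous_names(jar, host):
    """Cookie names that reach the host with more than one value."""
    return sorted(n for n, vals in sent_to(jar, host).items() if len(vals) > 1)


if __name__ == "__main__":
    jar = build_jar(CAPTURED)
    for host in ("panel.development.com", "development.com"):
        print(host, sent_to(jar, host), "ambiguous:", ambiguous_names(jar, host))
```

Replacing CAPTURED with the Set-Cookie headers seen in the browser's network tab shows whether a host-only cookie and a Domain=development.com cookie share a name, which is what a duplicated name with different values looks like in the cookie list.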